XSS in Yeswiki

CVE-2026-34598

YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in t…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (24.0th percentile) — read the EPSS interpretation.

Affected products

Yeswiki — versions < 4.6.0

Weakness classification (CWE)

References

https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j (x_refsource_CONFIRM)
https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0 (x_refsource_MISC)